It still keeps you in the loop, but doesn’t ask to run shell commands, etc.

That seems like a bad default. VSCode’s agent mode requires approval for shell commands every time by default, with a whitelisting capability (which is itself risky, because hiding shell commands in args to an executable is quite doable). Are people running agents under their own user identity without supervising the commands they run?

The default is ask for approval with option to whitelist certain commands.